Android Users Hit by New Albiriox Malware

Albiriox is a new Android malware that recently appeared on cybercrime forums. It offers advanced remote-access features and is sold as a Malware-as-a-Service tool. Researchers at Cleafy found that the main goal of this malware is to perform On-Device Fraud. It gives attackers full control of an infected device and lets them bypass security checks to steal money from banking apps.

All about Albiriox malware

The malware first showed up in private forums in September 2025 and later became available to more buyers in October. The operation is linked to Russian-speaking threat actors who market the tool to cybercriminals. The subscription costs about $650 per month and gives access to the full set of features.

Albiriox is more advanced than normal credential stealers. It includes a VNC module that streams the victim’s screen in real time. Attackers can see everything happening on the device and control it as if they were holding the phone.

This real-time access lets them perform banking fraud directly on the device without the user noticing. Because the actions happen on the real device, the malware can bypass device fingerprinting and defeat two-factor authentication.

Two-Stage Infection Chain

Albiriox spreads through a simple but effective two-step method designed to avoid detection. Early attacks focused on users in Austria by using a fake version of the popular Penny Market app.

The infection process works like this:

1. Victims receive an SMS with a shortened link offering prizes or discounts. The link leads to a fake Google Play Store page.
2. The user then downloads a dropper app, such as the fake Penny app.
3. After installation, the dropper asks for “Install Unknown Apps” permission and then downloads the real Albiriox malware from a command-and-control server.

Recent campaigns also use WhatsApp messages. Users are asked to enter their phone number to get the download link. This helps attackers target specific regions, such as Austria.

Albiriox is built for stealth and full control. It uses a service called Golden Crypt to stay hidden from antivirus tools. Once running, it abuses Accessibility Services to perform overlay attacks and record keystrokes.
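The two-stage chain above (a sideloaded dropper holding “Install Unknown Apps”, then a payload that enables itself as an accessibility service and draws overlays) leaves a recognisable footprint in a device's package state. The following is an added triage example for this page, not code from Cleafy or from this article: it parses output in the style of `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services` and flags packages that match either pattern. The sample output is constructed, the package names are placeholders rather than real indicators, and the exact line layout of `dumpsys package` is an assumption that may need adjusting per Android version.

```python
"""
Triage an Android package dump for the dropper/payload pattern described in
the article: a sideloaded app that can install other apps, and an app that is
enabled as an accessibility service and can also draw overlay windows.
Added example, not Cleafy's or the article's code. Sample text is constructed
and the 'dumpsys package' line formats are an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PLAY_STORE_INSTALLER = "com.android.vending"
INSTALL_UNKNOWN = "android.permission.REQUEST_INSTALL_PACKAGES"  # "Install Unknown Apps"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"              # overlay windows


@dataclass
class PackageInfo:
    name: str
    installer: Optional[str] = None
    permissions: Set[str] = field(default_factory=set)
    accessibility_enabled: bool = False


def parse_dumpsys_package(text: str) -> Dict[str, PackageInfo]:
    """Extract package name, installer and requested permissions from
    'dumpsys package'-style output (assumed format, see module docstring)."""
    pkgs: Dict[str, PackageInfo] = {}
    current: Optional[PackageInfo] = None
    in_perms = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            current = PackageInfo(m.group(1))
            pkgs[current.name] = current
            in_perms = False
            continue
        if current is None:
            continue
        if line.startswith("installerPackageName="):
            value = line.split("=", 1)[1]
            current.installer = None if value == "null" else value
        elif line == "requested permissions:":
            in_perms = True
        elif in_perms and line.startswith("android.permission."):
            current.permissions.add(line.split(":")[0])
        elif line.endswith(":"):  # any other section header ends the list
            in_perms = False
    return pkgs


def parse_accessibility_setting(value: str) -> Set[str]:
    """enabled_accessibility_services is colon-separated pkg/Service entries;
    return the set of package names that own an enabled service."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def triage(dumpsys_text: str, accessibility_setting: str) -> Dict[str, List[str]]:
    """Return package -> reasons for packages matching the dropper or payload pattern."""
    pkgs = parse_dumpsys_package(dumpsys_text)
    a11y = parse_accessibility_setting(accessibility_setting)
    findings: Dict[str, List[str]] = {}
    for pkg in pkgs.values():
        pkg.accessibility_enabled = pkg.name in a11y
        sideloaded = pkg.installer != PLAY_STORE_INSTALLER
        reasons = []
        if sideloaded and INSTALL_UNKNOWN in pkg.permissions:
            reasons.append("sideloaded app that can install other apps (dropper pattern)")
        if pkg.accessibility_enabled and sideloaded:
            reasons.append("sideloaded app enabled as an accessibility service")
        if pkg.accessibility_enabled and OVERLAY in pkg.permissions:
            reasons.append("accessibility service that can also draw overlays")
        if reasons:
            findings[pkg.name] = reasons
    return findings


# Constructed sample output; package names are placeholders, not real IoCs.
SAMPLE_DUMPSYS = """\
Package [com.example.dropper] (1a2b3c):
    userId=10234
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
Package [com.example.payload] (4d5e6f):
    userId=10235
    installerPackageName=com.example.dropper
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
Package [com.example.screenreader] (7a8b9c):
    userId=10012
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
"""
SAMPLE_A11Y = ("com.example.payload/com.example.payload.AccService:"
               "com.example.screenreader/com.example.screenreader.ReaderService")

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_DUMPSYS, SAMPLE_A11Y).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a real device the two inputs come from `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`; the screen-reader entry in the sample shows why an enabled accessibility service alone is not a finding, only its combination with sideloading or overlay capability is.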

The malware includes a hardcoded list of more than 400 apps. These apps include major banking apps, crypto wallets, and global payment services.

Feature: Android banking trojan / Remote Access Trojan
Model: Sold as Malware-as-a-Service
Main Methods: On-device fraud, overlay attacks, VNC screen streaming
Target Range: 400+ banking and crypto apps
Evasion: Golden Crypt obfuscation, JSONPacker, two-stage dropper
C2 Communication: Unencrypted TCP with JSON commands
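The C2 channel listed above, JSON commands over unencrypted TCP, is unusual for legitimate mobile apps, which send JSON inside HTTP or over TLS. The following is an added hunting example for this page, not Cleafy's detection logic: it groups TCP segments into flows and reports flows where the payload is a bare JSON object with no HTTP framing and no TLS record header. The flow records are constructed and the command keys in them are placeholders; the page does not list Albiriox's actual command names.

```python
"""
Hunt for JSON-over-raw-TCP flows in a set of captured TCP payloads.
Added example for this page, not the researchers' code. Sample segments
are constructed; JSON keys such as "cmd" are placeholders.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

TLS_PORTS = {443, 8443}
HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH|CONNECT) \S+ HTTP/1\.[01]\r?\n")
HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] \d{3}")


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    dport: int
    payload: bytes


def _parse_json_object(payload: bytes) -> Optional[dict]:
    """Return the JSON object in the payload (whole payload or first
    newline-delimited line), or None if it is not a JSON object."""
    text = payload.decode("utf-8", errors="replace").strip()
    for candidate in (text, text.split("\n", 1)[0]):
        try:
            obj = json.loads(candidate)
        except ValueError:
            continue
        if isinstance(obj, dict):
            return obj
    return None


def classify_payload(payload: bytes) -> str:
    """Rough layer-7 label from the first bytes of a TCP segment."""
    if not payload:
        return "empty"
    if payload[:2] == b"\x16\x03":          # TLS handshake record, version 3.x
        return "tls"
    if HTTP_REQUEST.match(payload) or HTTP_RESPONSE.match(payload):
        return "http"
    if _parse_json_object(payload) is not None:
        return "json"
    return "other"


FlowKey = Tuple[str, str, int]


def find_json_c2_flows(segments: Iterable[Segment], min_json_segments: int = 2) -> Dict[FlowKey, dict]:
    """Flag flows carrying bare JSON objects over a non-TLS port with no
    HTTP framing anywhere in the flow. Returns flow -> summary."""
    flows: Dict[FlowKey, List[Segment]] = defaultdict(list)
    for seg in segments:
        flows[(seg.src, seg.dst, seg.dport)].append(seg)
    findings: Dict[FlowKey, dict] = {}
    for key, segs in flows.items():
        if key[2] in TLS_PORTS:
            continue
        kinds = [classify_payload(s.payload) for s in segs]
        if "http" in kinds or "tls" in kinds:
            continue  # JSON inside HTTP or over TLS is the normal case
        json_segs = [s for s, k in zip(segs, kinds) if k == "json"]
        if len(json_segs) < min_json_segments:
            continue
        keys = set()
        for s in json_segs:
            keys |= set(_parse_json_object(s.payload).keys())
        findings[key] = {"json_segments": len(json_segs), "keys": sorted(keys)}
    return findings


# Constructed sample traffic (documentation IP ranges, placeholder keys).
SAMPLE_SEGMENTS = [
    Segment("10.0.0.5", "203.0.113.10", 5555, b'{"cmd":"ping","id":"dev-1"}\n'),
    Segment("10.0.0.5", "203.0.113.10", 5555, b'{"cmd":"screen","fps":5}\n'),
    Segment("10.0.0.5", "198.51.100.7", 80,
            b"POST /api HTTP/1.1\r\nHost: api.example\r\nContent-Type: application/json\r\n\r\n"),
    Segment("10.0.0.5", "198.51.100.7", 80, b'{"event":"login"}'),
    Segment("10.0.0.5", "198.51.100.9", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

if __name__ == "__main__":
    for flow, summary in find_json_c2_flows(SAMPLE_SEGMENTS).items():
        print(flow, summary)
```

Internal services do sometimes speak bare JSON over TCP, so a hit is a lead to correlate with the device's installed packages, not a verdict on its own; the summary's key list gives an analyst something concrete to compare against a known command set once one is available.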

Albiriox is evolving quickly and is becoming a strong tool for financial fraud. Its mix of screen streaming and accessibility abuse allows attackers to operate in the background without the user noticing, making it a major threat to Android users and financial institutions.

About the Author:

FirstHackersNews - Identifies Security
